[Phpmyadmin-devel] Let's break master?

Dieter Adriaenssens dieter.adriaenssens at gmail.com
Tue Feb 21 13:29:54 CET 2012


Op 21 februari 2012 12:33 heeft Marc Delisle <marc at infomarc.info> het
volgende geschreven:
> Le 2012-02-21 04:43, Michal Čihař a écrit :
>> Hi
>>
>> all, I think we can agree on register globals being evil. So let's do
>> radical breakage in master and remove ./libraries/grab_globals.lib.php.
>> I know lot of things will get broken, but this is something what needs
>> to be done for 4.0 and I think it should be done ASAP to prevent any
>> new code using this.
>>
>> So I don't give you question whether to do this, but rather when to do
>> this with possible rationale for the choice:
>>
>> - right now - anyway people should be using QA_3_5 so master breakage
>>   should not matter
>>
>> - after releasing 3.5 - developers can focus on master after releasing
>>   3.5
>>
>> - after releasing 3.5.1 - final release 3.5 will most likely bring lot
>>   of bug reports, which will need to be fixed in 3.5.1
>
> I think that right now is a good time, before we get too busy with 3.5.1.
>
> What do you suggest? remove the library, add a big warning to demo and
> then test everything?

Harsh, but effective. It might break some functionality for some time,
but it probably is the fastest way. Unless there is a way of detecting
every place were this register_globals is needed?

> Also, I suggest to get rid of $_REQUEST, because the origin of its
> contents is unclear. Ideally, at every place where we refer to
> $_REQUEST, a comment should explain the possible origin of the contents.

What do you suggest? Only to use $_POST or $_GET instead of $_REQUEST?
I don't see another way of getting the values of url variables.

Maybe we could create a function/class to get the value of a POST/GET
variable and check the validity? I mean, if you need input from a url
variable, you call the function with some parameters : variable name,
allowed origin (POST, GET, COOKIE, SESSION, ...), type of data
(string, bool, int, ...); and the function checks this and returns the
value if it is safe.
So all $_REQUEST, $_POST, $_GET, $_COOKIE, ... in the code should be
replaced by a call to this function.
What do you think?

Kind regards,

Dieter




More information about the Developers mailing list